Fake Fortnite Apps for Android Spread Spyware, Cryptominers

An array of malicious Android apps purporting to be the popular game known as Fortnite are accessing cameras, harvesting and wiping device data, and recording audio on victims’ phones.

Researchers at Zscaler’s ThreatLabZ said that bad actors are taking advantage of Fortnite owner Epic Games’s recent announcement that it would extend the game’s support to mobile platforms.

Fortnite has 45 million players, making it one of the most popular games currently on the market. Epic Games has launched a version for iOS, but an Android version has not yet been announced. So, when Android users search for it in app stores, they’re finding fake Fortnite apps instead — and they’re riddled with malware.

“There is no official news from Epic games about the release of the Fortnite game on the Android platform,” researchers said in a blog post. “Users should beware of malware authors looking to exploit their desire to play Fortnite on Android. We urge users to download games only from authorized and legitimate sources, such as Google Play.”

ThreatLabZ researchers said that they observed Android spyware, cryptomining malware and a scam app claiming to help players earn free V-bucks, the virtual currency used within the game. The latter was actually found in Google Play, a Zscaler spokesperson told Threatpost, but the remaining were found on third-party app stores.

One case of Android spyware purports to be the game, showing an icon with the Fortnite name when downloaded. However, upon installation, the spyware begins to harvest call logs – including missed calls and phone contacts. It can also make calls, and features a prompt enabling Accessibility services, meaning it can obtain certain privileged operations without user interaction.

“This spyware creates a ‘files’ folder under its installation directory,” researchers said. “Under that directory it writes all logs on a daily basis…Along with the data, keylogging activity is visible…where the spyware is reading keystroke by keystroke and storing the data to file.”

In another incident, researchers said they observed a coin-miner payload being spread under a false Android APK  domain. The CoinHive JavaScript is embedded in the file, named as “engine.html” in the asset folder of an Android package, researchers said. The engine.html file is then called from the asset folder in the code to trigger the coin-mining activity.

“We monitored the app on a device and found that this coin-mining app significantly raises CPU usage once installed,” researchers said.

The app found in Google Play claiming to help Fortnite players earn free V-Bucks shows a fake Fortnite Battle Royal V-Bucks generator screen upon installation. It then prompts users to take a survey and download other apps.

“After completing the survey and downloading the suggested apps, the user doesn’t receive free V-Bucks, but the app author definitely generates real revenue,” researchers said. “This fake app was downloaded over 5,000 times, and has been rated five stars over 4,000 times, before we reached out to Google Security team who promptly removed the app.”

Attackers have long flocked around enthusiast gamers and popular video games. During the peak popularity of Pokemon GO, attackers pushed SMS spam messages to entice players to visit a series of malicious websites. Later, researchers found a malicious backdoor version of the app on a file repository service.

“In the past, the ThreatLabZ research team has seen fake Super Mario and Pokemon GO apps in the wild during the release of the legitimate versions,” researchers said. “We observed this trend with Fortnite as well, in which multiple instances of Android malware were posing as the Fortnite game.”

Neither Epic Games nor Google responded to an email requesting for comment from Threatpost.